
Research
/Security News
jscrambler npm Package Compromised in Supply Chain Attack
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.
openai-ws-opencode
Advanced tools
Standalone OpenCode provider plugin for routing OpenAI Responses API streaming requests over WebSocket transport.
openai-wswss://api.openai.com/v1/responseswss://chatgpt.com/backend-api/codex/responses/v1/models IDs for API keys, bundled table fallback for bothnpm install -g openai-ws-opencode
openai-ws-opencode setup --global
opencode auth login openai-ws
For project-local setup:
openai-ws-opencode setup --project
opencode auth login openai-ws
The setup command is idempotent. It adds the npm plugin entry and a fallback provider.openai-ws model registry to opencode.json, preserving existing user model overrides.
At setup and runtime the plugin attempts short best-effort model discovery for the selected auth mode. ChatGPT/Codex OAuth uses https://chatgpt.com/backend-api/codex/models, accepts provider models or data catalogs, and maps flat or nested model metadata. It resolves the current Codex alpha version from npm's small dist-tags response and caches it for inference identity headers. API-key auth uses https://api.openai.com/v1/models to discover GPT-5 family IDs. Setup writes discovered WebSocket-capable models into opencode.json; runtime refreshes the active provider from the authenticated catalog. Both paths remain fail-soft and fall back to the bundled table if discovery is unavailable.
The transport allows one active turn per session scope. A concurrent turn for the same session fails fast to HTTP fallback; independent sessions can use separate sockets in parallel.
Set OPENAI_WS_OPENCODE_SKIP_CATALOG=1 to skip runtime catalog lookups and use only the bundled fallback table plus your config overrides.
If you do not want to use the setup command, add this shape to your OpenCode config and copy model entries from openai-ws-opencode setup --path <temp-file> output:
{
"$schema": "https://opencode.ai/config.json",
"plugin": ["openai-ws-opencode@latest"],
"provider": {
"openai-ws": {
"name": "OpenAI WebSocket",
"api": "https://api.openai.com/v1",
"npm": "@ai-sdk/openai",
"models": {
"gpt-5.3-codex": {
"name": "GPT 5.3 Codex (WebSocket)",
"reasoning": true,
"temperature": false,
"attachment": true,
"tool_call": true,
"limit": { "context": 258400, "output": 128000 },
"modalities": { "input": ["text", "image"], "output": ["text"] },
"options": {},
"provider": { "npm": "@ai-sdk/openai", "api": "https://api.openai.com/v1" }
}
}
}
}
}
Choose OpenAI (WebSocket) - API Key during opencode auth login openai-ws.
This path uses the public OpenAI Responses WebSocket endpoint and sends:
Authorization: Bearer <OPENAI_API_KEY>OpenAI-Beta: responses_websockets=2026-02-06Choose the browser or headless ChatGPT Pro/Plus OAuth option during opencode auth login openai-ws.
This path uses the Codex/ChatGPT backend and sends:
Authorization: Bearer <access-token>ChatGPT-Account-ID when availableoriginator: codex-tuiversion: <current Codex alpha version>x-codex-beta-features: remote_compaction_v2The OAuth Responses WebSocket is GA, so this path omits OpenAI-Beta.
Important: the OAuth/Codex WebSocket path is unofficial, reuses Codex OAuth behavior, targets a private ChatGPT backend, can break without notice, and may carry account or terms-of-service risk. This project is not affiliated with OpenAI or OpenCode.
From this repo:
bun install
bun run build
npm pack
Then point OpenCode at the packed tarball through the plugin array:
{
"plugin": ["openai-ws-opencode@file:/absolute/path/openai-ws-opencode-0.1.5.tgz"]
}
Direct file:///absolute/path/dist/index.js imports are useful for debugging, but npm/tarball installs better match how OpenCode resolves dependencies.
bun install
bun run lint
bun run typecheck
bun test
bun run build
npm pack --dry-run
The root package export intentionally exposes only the OpenCode plugin function because OpenCode calls every function exported by the root module. Test helpers are available from openai-ws-opencode/testing.
openai-ws-opencode setup --global or add provider.openai-ws manually.opencode auth login openai-ws.opencode auth login openai-ws and choose a ChatGPT OAuth method.openai-ws again before selecting its models.file:// install cannot find ws: use the packed tarball install path or add dependencies to your OpenCode config directory.FAQs
OpenCode plugin for OpenAI Responses WebSocket transport.
The npm package openai-ws-opencode receives a total of 10 weekly downloads. As such, openai-ws-opencode popularity was classified as not popular.
We found that openai-ws-opencode demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Research
/Security News
A compromised jscrambler npm release added a malicious preinstall hook that runs hidden native binaries on Linux, macOS, and Windows.

Research
/Security News
A malicious .NET package is typosquatting the Braintree SDK to steal live payment card data, merchant API keys, and host secrets from production apps.

Security News
/Research
Compromised Injective SDK npm version 1.20.21 exfiltrates wallet private keys and mnemonics through fake telemetry functionality.